b'                       U.S. Environmental Protection Agency \t                                               09-P-0052\n                                                                                                      December 9, 2008\n                       Office of Inspector General\n\n\n                       At a Glance\n\n                                                                            Catalyst for Improving the Environment\n\n\nWhy We Did This Review            Results of Technical Network Vulnerability\nThe Office of Inspector\n                                  Assessment: Region 9\nGeneral contracted with\nWilliams, Adley & Company,         What Williams, Adley & Company, LLP, Found\nLLP, to conduct the annual\naudit of the U.S.                 Vulnerability testing of EPA\xe2\x80\x99s Region 9 network identified Internet Protocol\nEnvironmental Protection          addresses with high-risk and medium-risk vulnerabilities. Although Region 9 has\nAgency\xe2\x80\x99s (EPA\xe2\x80\x99s) compliance       taken actions to remediate most of the documented findings, several vulnerabilities\nwith the Federal Information      (both high and medium) still remain resolved.\nSecurity Management Act\n(FISMA). Williams, Adley &         What Williams, Adley & Company, LLP, Recommends\nCompany, LLP, conducted the\nnetwork vulnerability testing     Williams, Adley & Company, LLP, recommends that the Region 9 Director for\nof the Agency\xe2\x80\x99s local area        Information Resources Management and Technical Services Division:\nnetwork located at EPA\xe2\x80\x99s\nRegion 9 office in San            \xe2\x80\xa2\t Complete actions to address all unresolved vulnerability findings.\nFrancisco, California.\n                                  \xe2\x80\xa2\t Continue to work with the software vendor to resolve vulnerabilities. If the\n                                     vendor is unable to provide a solution, implement a compensating control to\nBackground                           resolve the risk.\n                                  \xe2\x80\xa2\t Enter a trouble ticket into EPA\xe2\x80\x99s REMEDY system to resolve the\nThe network vulnerability            vulnerabilities associated with the Internet Protocol addresses under the\ntesting was conducted to             National Computer Center\xe2\x80\x99s control.\nidentify any network risk         \xe2\x80\xa2\t Update EPA\xe2\x80\x99s Automated Security Self Evaluation and Remediation\nvulnerabilities and present the      Tracking (ASSERT) system.\nresults to the appropriate EPA\nofficials to promptly             \xe2\x80\xa2\t Perform a technical vulnerability assessment test of Region 9\xe2\x80\x99s network\nremediate or document                within 30 days to demonstrate and document corrective actions that have\nplanned actions to resolve the       resolved the vulnerabilities.\nvulnerability.\n                                  Due to the sensitive nature of this early warning report\xe2\x80\x99s technical findings, the\n                                  full report is not available to the public.\n\nFor further information,\ncontact our Office of\nCongressional, Public Affairs,\nand Management at\n(202) 566-2391.\n\x0c'